Hi, I would approach this from a different angle. Storage is comparatively inexpensive, so trying to justify reducing a retention period on this basis may be hard. It may be easy to counter your argument with "space is cheap, we will keep everything forever."

What is your reason for wanting to reduce the retention period? I assume you mean to get rid of some useless (not usefull [sic]) IDS alerts. Tuning is an important part of managing any IDS solution so time would be well spent reducing noise and false positives. That does not mean you have to reduce the time you keep the alerts for. You could certainly sell the need for a clean up based on the effectiveness of the system and reduced overhead on those reading the logs.

My idea is not to reduce the retention period, but to give an extra argument to get rid of many useless alerts. If they have to keep the logs for 7 years (as an example), they must comply, but keeping garbage for 7 years...

Also, it will be a very useful exercise for all the analysts (and not only them), an exercise that will make them think twice before using all the default alerts.

There's a big difference between collecting and alerting. My preference is to collect as much data as feasible and then filter the data set down to a manageable level. I would rarely condone collecting less data but almost always recommend trimming alertable events, tuning, and filtering so as to not DOS the analyst. You can always expand your filters if necessary as long as you have the data.

tturner wrote: There's a big difference between collecting and alerting

Agreed. The big issue is what to expose via alerts, dashboards etc. and what to keep. If capacity is not an issue, keep everything. By all means trim down on noisy alerts that add no value, but let the value of this filter down. Frequently you don't know what you need until after the fact, and finding out you have deleted something useful could be embarrassing.

Again, look at the junk as a useful metric. What is the number of alerts following a tuning exercise versus untuned? This is a quantifiable metric to show improvement.
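As an added example (not from anyone in this thread), the collect-everything-but-alert-selectively approach and the before/after tuning metric in one script: every parsed alert is retained, a suppression set and a per-source threshold decide what is surfaced, and the per-signature counts before and after tuning are reported. The log lines, signature IDs in the local rule range and RFC 5737 addresses are all constructed for the example; the fast-log format is abbreviated (no timestamp prefix).

```python
import re
from collections import Counter

# Constructed sample alerts in Snort/Suricata "fast" style; made-up sids and
# documentation-range IPs, not data from the discussion above.
RAW_ALERTS = """\
[**] [1:1000001:1] CONSTRUCTED SNMP public community string [**] {UDP} 192.0.2.7:50000 -> 198.51.100.1:161
[**] [1:1000001:1] CONSTRUCTED SNMP public community string [**] {UDP} 192.0.2.7:50001 -> 198.51.100.1:161
[**] [1:1000001:1] CONSTRUCTED SNMP public community string [**] {UDP} 192.0.2.7:50002 -> 198.51.100.1:161
[**] [1:1000002:1] CONSTRUCTED ICMP echo request [**] {ICMP} 192.0.2.9 -> 198.51.100.2
[**] [1:1000002:1] CONSTRUCTED ICMP echo request [**] {ICMP} 192.0.2.9 -> 198.51.100.2
[**] [1:1000003:2] CONSTRUCTED web shell response pattern [**] {TCP} 203.0.113.5:44321 -> 198.51.100.3:80
"""

# sid, message, protocol, source IP (port optional, so ICMP lines match too)
ALERT_RE = re.compile(r"\[\*\*\] \[\d+:(\d+):\d+\] (.+?) \[\*\*\] \{(\w+)\} (\d+\.\d+\.\d+\.\d+)(?::\d+)? -> ")

# Hypothetical tuning policy: suppressed sids are still collected, never surfaced;
# thresholded sids surface only the first N events per (sid, source) pair.
SUPPRESS = {1000002}
LIMIT_PER_SRC = {1000001: 1}

def parse(raw):
    """Collect every alert line into a record; nothing is dropped here."""
    alerts = []
    for line in raw.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append({"sid": int(m.group(1)), "msg": m.group(2), "src": m.group(4)})
    return alerts

def tune(alerts, suppress=SUPPRESS, limit_per_src=LIMIT_PER_SRC):
    """Apply the alerting policy to collected records; return what an analyst sees."""
    seen, surfaced = Counter(), []
    for a in alerts:
        if a["sid"] in suppress:
            continue
        key = (a["sid"], a["src"])
        seen[key] += 1
        if seen[key] > limit_per_src.get(a["sid"], float("inf")):
            continue
        surfaced.append(a)
    return surfaced

def tuning_metric(raw):
    """Untuned vs tuned alert volume, overall and per signature."""
    collected = parse(raw)
    surfaced = tune(collected)
    before = Counter(a["sid"] for a in collected)
    after = Counter(a["sid"] for a in surfaced)
    reduction = 100.0 * (1 - len(surfaced) / len(collected)) if collected else 0.0
    return {"collected": len(collected), "surfaced": len(surfaced),
            "reduction_pct": round(reduction, 1),
            "per_sid": {sid: (before[sid], after.get(sid, 0)) for sid in before}}

if __name__ == "__main__":
    print(tuning_metric(RAW_ALERTS))
```

The retained records (the output of `parse`) are what you would still store for the full retention period; only the output of `tune` changes when filters are adjusted later.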